Video game giant Nintendo announced its investigation of a data breach after users began reporting suspicious activity. As part of the Nintendo data breach investigation, the company found that more than 160,000 accounts may have been compromised by unauthorized users due to an issue with legacy login procedures. On 4/29/2020, security provider SpyCloud announced that credential stuffing was the cause of the Nintendo data breach. However, Nintendo would not confirm or deny this.

Legacy login systems let longtime customers log in to updated or revamped platforms from companies they have used in the past. Their old logins enable them to access a new site within the same company without having to create an entirely new account or lose their previously stored information.

Because Nintendo has gone through a variety of iterations over the years, its login system made sense for some time. For example, users who had created a Nintendo Network ID (NNID) for the 3DS system or Wii U did not have to establish brand-new Nintendo accounts now that they were Nintendo Switch owners. Unfortunately, in the Nintendo data breach, malicious actors compromised the NNID legacy system, which allowed unauthorized access to certain accounts. This gave the hackers access to those users’ stored payment methods, including PayPal accounts and payment cards that were stored on file.

The card numbers and account numbers were not accessible. The only thing hackers could do with the cards was make purchases in the Nintendo system for things like V-Bucks, a virtual currency used in the game Fortnite. However, for NNIDs that were linked to Nintendo accounts, the compromise may also have exposed information like usernames, email addresses and birthdates, all of which can be used to target victims with spam, phishing attempts and ransomware.

The legacy NNID was being used to gain access to the current Nintendo network, which means access to current payment methods. That creates a single point of failure.

In response to the Nintendo data breach, the video game company launched a forced reset for the affected passwords and disabled the ability to use an NNID to log into a Nintendo account. For all account holders, the company recommends activating two-factor authentication to protect these accounts. This incident serves as a reminder that old or reused login credentials can still be used for harm, and should, therefore, be protected and updated frequently or canceled if no longer used. If someone has been affected by the Nintendo data breach, they can call the Identity Theft Resource Center toll-free at 888.400.5530, or live chat with an expert advisor.